Data Leakage
Data leakage in AI systems happens at three layers. At training time, models can memorise rare strings from their corpus — phone numbers, passwords, API keys committed to public code — and an attacker who knows the right context can prompt the model to regurgitate them. At inference time, applications often pass sensitive context to third-party APIs (OpenAI, Anthropic, Bedrock) without redaction; this content is then potentially logged, retained, or used to improve future models depending on the vendor's terms. At the application layer, multi-tenant deployments routinely leak across users when caching, logging, or vector-store indexing is misconfigured. Indirect prompt injection compounds all three by giving an attacker a way to ask the model to repeat what it should not. Defenses: PII redaction in prompts and outputs, differential privacy in training, vendor data-use review, and strict tenant boundaries in shared infrastructure.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-32026 | OpenClaw: sandbox path traversal leaks host temp files | OpenClaw | 6.5 |
| HIGH | CVE-2026-32030 | OpenClaw: path traversal exposes host files via SCP | OpenClaw | 7.5 |
| LOW | CVE-2026-32897 | OpenClaw: auth token leak via prompt hash fallback | OpenClaw | 3.7 |
| HIGH | CVE-2026-32914 | OpenClaw: access control bypass in config/debug handlers | OpenClaw | 8.8 |
| CRITICAL | CVE-2026-32913 | OpenClaw: auth header leak via cross-origin redirect | OpenClaw | 9.3 |
| MEDIUM | CVE-2026-32896 | OpenClaw: auth bypass via webhook passwordless fallback | OpenClaw | 4.8 |
| HIGH | CVE-2026-32982 | OpenClaw: Telegram bot token leaked in media fetch errors | OpenClaw | 7.5 |
| HIGH | CVE-2026-33575 | OpenClaw: gateway credential exposed in pairing setup codes | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-35635 | OpenClaw: webhook route hijack bypasses DM access controls | OpenClaw | 4.8 |
| MEDIUM | CVE-2026-35636 | OpenClaw: session isolation bypass exposes parent sessions | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35644 | OpenClaw: credential exposure via gateway channel URLs | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35667 | OpenClaw: SIGKILL bypass skips security-sensitive cleanup | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-40037 | OpenClaw: request body replay leaks credentials via redirect | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-52816 | Gogs: XSS via data URI in ipynb sanitizer endpoint | gogs.io/gogs | - |
| LOW | CVE-2026-55542 | Snipe-IT: auth bypass exposes S3 signature image URLs | snipe/snipe-it | - |
| HIGH | CVE-2026-56270 | Flowise: auth bypass exposes OAuth secrets in cleartext | Flowise | 7.5 |
| MEDIUM | CVE-2026-54033 | LibreChat: SSRF via custom API baseURL exposes internal network | 6.5 | |
| MEDIUM | CVE-2026-46406 | Claude Code: predictable temp file leaks data, symlink write | claude-code | - |
| HIGH | CVE-2025-71335 | Flowise: password change fails to revoke sessions | Flowise | 8.1 |
| UNKNOWN | CVE-2026-6658 | nbconvert: stored XSS via unescaped Mermaid diagrams | - |